impersonation fails on 2K server

[Seth Darr]

I've got an ASP.NET web app that generates dynamic excel spreadsheets
via COM. It
does this work in a seperate subdirectory called "reports" and uses
impersonation of the ReportWriter account in its own Web.config file in
that directory.

ReportWriter is an account on the machine in the Administrator group,
yet I get the following error when I try and even visit the first page
in that directory (NOT when I try to first create a spreadsheet):

Server Error in '/subsurv' Application.
--------------------------------------------------------------------------------

Configuration Error
Description: An error occurred during the processing of a configuration
file required to service this request. Please review the specific error
details below and modify your configuration file appropriately.

Parser Error Message: Could not create Windows user token from the
credentials specified in the config file. Error from the operating
system 'A required privilege is not held by the client. '

Source Error:


Line 4: <system.web>
Line 5:
Line 6: <identity impersonate="true" userName="ReportWriter"
password="blahblahblah" />
Line 7: <customErrors mode="Off" />
Line 8: </system.web>


Source File: C:\Inetpub\wwwroot\subsurv\reports\web.config Line: 6


--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.0.3705.6018;
ASP.NET Version:1.0.3705.6018



The most aggrevating part is that it works just great on my development
machine. I have tried matching all IIS and user/group settings as
closely as possible. I have the same version of the .NET Framework on
both machines (1.0 SP3). I have tried uninstalling and reinstalling the
..NET Framework,
deleting and recreating the ReportWriter account. It doesn't seem to
want to impersonate ANY account, actually, it gets the same error. I
have added shares up the wazoo and probably a million
other stabs in the dark, to no effect.

Does anyone have any suggestions?! I'm relatively new to the .NET world,
but I think I've run out of ideas. Upgrading to the 1.1 Framework is
not an option at this point as I am still presently using VS Studio .NET
2002 and some initially testing on the 1.1 exposed some new bugs that I
don't want to address until I upgrade to VS .NET 2003.

HEEEELLPPP!!! Thanks in advance. If anyone needs to see any code or
whatnot I'll post it, but it doesn't seem to me to be a issue with my
code. My development machine is XP Pro, target machine is 2000 Server.

-Seth

[Joe Kaplan \(MVP - ADSI\)]

You can't use this syntax on Windows 2000 to impersonate when you are set up
with the default processModel, machine, because only system-level users have
rights to call the LogonUser API to create a token.

You can either switch to XP or 2003 which allow normal users to call the
LogonUser API, change your processModel to SYSTEM (reduces security for
ASP.NET), give the ASPNET account "act as part of the operating system"
privileges (also reduces security for ASP.NET), use a COM+ dll to do the
work with a different account, or abandon this approach.

Joe K.

"Seth Darr" <seth_darr@fishgame.state.ak.us> wrote in message
news:10mb2ivp91613d7@corp.supernews.com...

> I've got an ASP.NET web app that generates dynamic excel spreadsheets via
> COM. It
> does this work in a seperate subdirectory called "reports" and uses
> impersonation of the ReportWriter account in its own Web.config file in
> that directory.
>
> ReportWriter is an account on the machine in the Administrator group,
> yet I get the following error when I try and even visit the first page
> in that directory (NOT when I try to first create a spreadsheet):
>
> Server Error in '/subsurv' Application.
> --------------------------------------------------------------------------------
>
> Configuration Error
> Description: An error occurred during the processing of a configuration
> file required to service this request. Please review the specific error
> details below and modify your configuration file appropriately.
>
> Parser Error Message: Could not create Windows user token from the
> credentials specified in the config file. Error from the operating system
> 'A required privilege is not held by the client. '
>
> Source Error:
>
>
> Line 4: <system.web>
> Line 5:
> Line 6: <identity impersonate="true" userName="ReportWriter"
> password="blahblahblah" />
> Line 7: <customErrors mode="Off" />
> Line 8: </system.web>
>
>
> Source File: C:\Inetpub\wwwroot\subsurv\reports\web.config Line: 6
>
>
> --------------------------------------------------------------------------------
> Version Information: Microsoft .NET Framework Version:1.0.3705.6018;
> ASP.NET Version:1.0.3705.6018
>
>
>
> The most aggrevating part is that it works just great on my development
> machine. I have tried matching all IIS and user/group settings as closely
> as possible. I have the same version of the .NET Framework on both
> machines (1.0 SP3). I have tried uninstalling and reinstalling the .NET
> Framework,
> deleting and recreating the ReportWriter account. It doesn't seem to
> want to impersonate ANY account, actually, it gets the same error. I have
> added shares up the wazoo and probably a million
> other stabs in the dark, to no effect.
>
> Does anyone have any suggestions?! I'm relatively new to the .NET world,
> but I think I've run out of ideas. Upgrading to the 1.1 Framework is not
> an option at this point as I am still presently using VS Studio .NET 2002
> and some initially testing on the 1.1 exposed some new bugs that I
> don't want to address until I upgrade to VS .NET 2003.
>
> HEEEELLPPP!!! Thanks in advance. If anyone needs to see any code or
> whatnot I'll post it, but it doesn't seem to me to be a issue with my
> code. My development machine is XP Pro, target machine is 2000 Server.
>
> -Seth